Microsoft’s monthly patch cycle for September has come out, and it’s something of a mixed bag for users. While there were only five advisories, all of them were rated as Critical by Microsoft, because if exploited, all five could be used to execute arbitrary code on user systems.
The patches fix vulnerabilities in the JScript Scripting Engine (MS09-045), the DHTML Editing Component ActiveX control (MS09-046), the Windows Media Format runtime (MS09-047), the TCP/IP stack (MS09-048), and the Wireless LAN AutoConfig service (MS09-049). The following Microsoft operating systems are covered by at least one of these bulletins: Windows 2000, Windows XP, Server 2003, Server 2008, and Vista. The final versions of Windows 7 and Server 2008 R2 are not affected by any of these vulnerabilities.
The MS09-045 and MS09-046 vulnerabilities could affect users who visit malicious or compromised Web sites; MS09-047 affects users who open specially crafted media files. Meanwhile, MS09-048 and MS09-049 affect users who are directly sent malicious network data. Microsoft has rated MS09-045 and MS09-047 as 1 on its Exploitability Index, which indicates that Microsoft believes cybercriminals could consistently produce working exploit code for these vulnerabilities in the future.
However, Windows users are not out of the woods just yet. A separate vulnerability has been found in both Vista and Server 2008’s implementation of the Server Message Block (SMB) protocol, which is largely used to share files and printers. According to the official Microsoft bulletin, the vulnerability could be used to take complete control over affected systems, although to date the proof-of-concept code encountered can only crash and restart affected systems. Like the vulnerabilities patched during Patch Tuesday, final versions of both Windows 7 and Server 2008 R2 are not affected. (The Windows 7 Release Candidate is, however, affected.)
Microsoft has so far not issued a patch for this latest security flaw, nor is it known whether such a patch will be issued out-of-cycle or held until next month’s regular update schedule.
Users should run Windows Update and see if their systems have been patched to protect against these vulnerabilities. For most systems, this should have taken place automatically, but it’s still an excellent idea to double-check.
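One way to do that double-check from an administrative PowerShell prompt, as an added example that is not part of the original post: the script below compares the hotfixes Windows reports as installed against a list of required KB numbers and returns whichever are missing. The KB identifiers in `$RequiredKB` are placeholders; substitute the KB numbers listed in each of the MS09-045 to MS09-049 bulletins for your operating system. `Get-MissingHotFix` is a name chosen for this example, not a built-in cmdlet.

```powershell
# Added example, not from the original post.
# Returns the KB IDs from $RequiredKB that Get-HotFix does not report as installed.
function Get-MissingHotFix {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$RequiredKB
    )
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID values look like "KB123456".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $RequiredKB) {
        if ($installed -notcontains $kb) {
            $kb
        }
    }
}

# PLACEHOLDER KB numbers: replace with the KB IDs from the MS09-045..MS09-049 bulletins.
$required = @('KB000001', 'KB000002', 'KB000003', 'KB000004', 'KB000005')

# Record which OS this was run on, since each bulletin's KB differs per platform.
$os = Get-WmiObject Win32_OperatingSystem
Write-Host ("Checking {0} ({1})" -f $os.Caption, $os.Version)

$missing = Get-MissingHotFix -RequiredKB $required
if ($missing) {
    Write-Host "Missing updates:"
    $missing | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "All required updates are reported as installed."
}
```

A caveat worth knowing: `Get-HotFix` only lists updates recorded through the Windows QFE mechanism, so an update for a component that installs separately may not appear even when it is present. Treat an empty "missing" list as a good sign and a non-empty one as a prompt to run Windows Update, rather than as definitive proof either way.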
Trend Micro OfficeScan users with the Intrusion Defense Firewall plugin installed should apply the recent filter update (IDF09-027). This version contains protection from attacks exploiting the five patched vulnerabilities, as well as other potential security risks.